[Bug 404183] Add user purge option to uamlite

purge_expired_users option was added to uamlite chart to allow purging of old
user accounts and the data in their home directories.

Addressed a corner case in which the user could lose system access by specifying
SSH key(s) only for the built-in account.

Change-Id: Iccfc914eea219521a290c2b5949ccc2d40d8dbb6
Craig Anderson 2018-04-10 01:20:11 +00:00
parent 73e7437b9b
commit e9d71dedb0
3 changed files with 59 additions and 9 deletions


@ -95,12 +95,20 @@ add_sshkeys(){
(rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
fi
custom_sshkeys_present=true
# In the event that the user specifies ssh keys for the built-in account and
# no others, do not expire the built-in account
if [ "${user_name}" != "${builtin_acct}" ]; then
expire_builtin_acct=true
fi
fi
}
{{- if hasKey .Values.conf "uamlite" }}
{{- if hasKey .Values.conf.uamlite "purge_expired_users" }}
purge_expired_users={{ .Values.conf.uamlite.purge_expired_users | quote }}
{{- end }}
{{- if hasKey .Values.conf.uamlite "users" }}
{{- range $item := .Values.conf.uamlite.users }}
{{- range $key, $value := . }}
@ -126,8 +134,14 @@ if [ -n "$(getent passwd | grep ${keyword} | cut -d':' -f1)" ]; then
IFS=$'\n'
for user in ${revert_list}; do
# We expire rather than delete the user to maintain local UID FS consistency
usermod --expiredate 1 ${user}
log.INFO "User '${user}' has been disabled (expired)"
# unless purge is explicity requested (remove user and user home dir).
if [ "${purge_expired_users}" = "true" ]; then
deluser ${user} --remove-home
log.INFO "User '${user}' and home directory have been purged."
else
usermod --expiredate 1 ${user}
log.INFO "User '${user}' has been disabled (expired)"
fi
done
unset IFS
fi
@ -149,7 +163,7 @@ fi
if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
# Disable built-in account as long as there was at least one account defined
# in this chart with a ssh key present
if [ "${custom_sshkeys_present}" = "true" ]; then
if [ "${expire_builtin_acct}" = "true" ]; then
if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
tr -d '[:space:]')" = "never" ]; then
usermod --expiredate 1 ${builtin_acct}
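Review bot: `deluser ${user} --remove-home` in the second hunk is the one irreversible step of the revert loop, yet its exit status is ignored and the success message is logged regardless, whereas `add_sshkeys` above already uses `die` on failure; write it as `deluser "${user}" --remove-home || die "Error purging user '${user}'"` and quote `${user}` in the `usermod` branch too. The purged list appears to come from `getent passwd | grep ${keyword}` in that hunk's header, a substring match across the whole passwd line, so with `purge_expired_users` enabled an over-broad match now removes home directories instead of merely expiring accounts; applying the `cut -d':' -f1` before the grep so only the user-name field is matched, and saying so in the comment at "We expire rather than delete", would narrow that blast radius. In the third hunk the comment "as long as there was at least one account defined in this chart with a ssh key present" still describes the replaced `custom_sshkeys_present` condition; it should now read `# Expire the built-in account only when some other account in this chart has SSH keys`. The enclosing `if`/`for` blocks of the second and third hunks start or end outside the hunk.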


@ -511,11 +511,24 @@ _test_user_enabled(){
test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
tr -d '[:space:]')" = "never"
else
# If the user exists, verify it's not non-expiring
if [ -n "$(getent passwd $username)" ]; then
test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
tr -d '[:space:]')" != "never"
fi
# Verify user is not non-expiring
getent passwd $username >& /dev/null
test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
tr -d '[:space:]')" != "never"
fi
}
_test_user_purged(){
username=$1
# Verify user is no longer defined
getent passwd $username >& /dev/null && \
echo "Error: User '$username' exists, but was expected it to be purged" && \
return 1
if [ -d /home/$username ]; then
echo "Error: User '$username' home dir exists; expected it to be purged"
return 1
fi
}
@ -631,6 +644,19 @@ test_uamlite(){
_test_user_enabled ${USERNAME4} false
_test_sudo_enabled ${USERNAME4} false
echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
# Test purge users flag
overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set3.yaml
echo "conf:
uamlite:
purge_expired_users: true" > "${overrides_yaml}"
install_base "--values=${overrides_yaml}"
get_container_status uamlite
_test_user_purged ${USERNAME1}
_test_user_purged ${USERNAME2}
_test_user_purged ${USERNAME3}
_test_user_purged ${USERNAME4}
echo '[SUCCESS] uamlite test4 passed successfully' >> "${TEST_RESULTS}"
}
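Review bot: `_test_user_purged` leaves `$username` unquoted in both the `getent` and `[ -d /home/$username ]` checks and never validates its argument; an empty first argument makes `getent passwd` list every account, so the test would fail for the wrong reason, and the home-directory location is hard-coded rather than taken from the passwd record. Guard and quote it, `username=${1:?username required}` then `getent passwd "$username" >& /dev/null` and `[ -d "/home/$username" ]`, and say in the function's comment that `/home/<user>` is assumed because the account no longer resolves after purging. Test4 asserts that the four chart users are gone but never asserts that the built-in account survived the purge run; since purging is destructive, a positive `getent passwd` check on that account (its name is presumably known to the harness, verify) would catch an over-broad revert list. `_test_user_enabled` starts outside the first hunk and `test_uamlite` starts outside the second.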
# test daemonset value overrides for hosts and labels


@ -120,6 +120,7 @@ access. Ex::
conf:
uamlite:
purge_expired_users: false
users:
- user_name: testuser
user_sudo: True
@ -127,6 +128,15 @@ access. Ex::
- ssh-rsa AAAAB3N... key1-comment
- ssh-rsa AAAAVY6... key2-comment
An update to the chart with revmoed users will result in those user's accounts
being expired, preventing those users any access through those accounts. This
does not delete their home directory or any other files, and provides UID
consistency in the event the same account gets re-added later, and they regain
access to their files again.
However, if it is desired to purge expired and removed accounts and their home
directories, this may be done by the ``purge_expired_users`` option to ``true``.
Node specific configurations
----------------------------